Exploit for Cross-site Scripting in Atmail

AWAE/OSWE Preparation for coming AWAE Training. Work in progress... Atmail Mail Server Appliance: from XSS to RCE 6.4 CVE-2012-2593 - https://www.exploit-db.com/exploits/20009 - https://github.com/sourceincite/poc/blob/master/SRC-2016-0012.py ATutor Authentication Bypass and RCE 2.2.1 CVE-2016-25...

CVE-2025-51411

A reflected cross-site scripting XSS vulnerability exists in Institute-of-Current-Students v1.0 via the email parameter in the /postquerypublic endpoint. The application fails to properly sanitize user input before reflecting it in the HTML response. This allows unauthenticated attackers to injec...

CVE-2025-51411

CVE-2025-51411 affects Institute-of-Current-Students v1.0, with a reflected XSS vulnerability in the /postquerypublic endpoint via the email parameter. The root cause is insufficient sanitization of user input, allowing an attacker-controlled string to be reflected in HTML and execute arbitrary J...

CVE-2025-51411

A reflected cross-site scripting XSS vulnerability exists in Institute-of-Current-Students v1.0 via the email parameter in the /postquerypublic endpoint. The application fails to properly sanitize user input before reflecting it in the HTML response. This allows unauthenticated attackers to injec...

CVE-2025-45892

OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting XSS attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or escaped before being rendered. This allows attackers to inject malicious JavaScript code...

CVE-2025-47061

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-46996

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-46996 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-46996 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname

Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting XSS via Operator Surname Date: 09/06/2025 Exploit Author: Manojkumar J TheWhiteEvil Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ Software Link:...

Exploit for Cross-site Scripting in Campcodes Online_Movie_Theater_Seat_Reservation_System

XSS Exploit for CVE-2025-7840 Author: Byte Reaper @ByteR...

CVE-2025-52687

Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service DoS...

Cross-site Scripting (XSS)

org.opennms:opennms is vulnerable to Cross-site Scripting XSS. The vulnerability is due to stored XSS caused by unsanitized parameters on multiple nodes, allowing attackers to inject malicious HTML or JavaScript into database entries that are rendered on user-facing pages...

CVE-2025-52687

Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service DoS...

CVE-2025-52687 JavaScript Injection Vulnerability in the OmniAccess Stellar Web Management Interface

Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service DoS...

CVE-2025-52687

The CVE-2025-52687 issue applies to Alcatel-Lucent OmniAccess Stellar products (Web Management Interface). Affected component: web management payload handling. Root cause described in sources as ability for an attacker with administrator credentials on the access point to inject malicious JavaScr...

PT-2025-29695 · Unknown · Access Point

Name of the Vulnerable Software and Affected Versions: affected versions not specified Description: Successful exploitation of the issue could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffic, potentially leading ...

Alcatel-Lucent OmniAccess Stellar Products 安全漏洞

Alcatel-Lucent OmniAccess Stellar Products is a line of WiFi access points from Alcatel-Lucent, France. A security vulnerability exists in Alcatel-Lucent OmniAccess Stellar Products that stems from the possible injection of malicious JavaScript, leading to session hijacking and denial of service...

Attackers Hide JavaScript in SVG Images to Lure Users to Malicious Sites

Beware! SVG images are now being used with obfuscated JavaScript for stealthy redirect attacks via spoofed emails. Get insights from Ontinue's latest research on detection and defence...

CVE-2025-52378

Summary: CVE-2025-52378 is a stored XSS vulnerability in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and earlier. The flaw arises from insufficient sanitization of the DEVICE_ALIAS input used by the /web/um_device_set_aliasname endpoint, enabling an attacker to inject JavaScript that r...